DOE/IG-0569

EVALUATION REPORT

THE FEDERAL ENERGY REGULATORY COMMISSION'S UNCLASSIFIED CYBER SECURITY PROGRAM 2002

SEPTEMBER 2002

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT SERVICES


THE FEDERAL ENERGY REGULATORY COMMISSION'S CYBER SECURITY PROGRAM 2002

TABLE OF CONTENTS

Overview
    Introduction and Objective ........ 1
    Conclusions and Observations ...... 1

Cyber Security Program Weaknesses
    Details of Finding ................ 3
    Recommendations and Comments ...... 7

Appendices
    1. Scope and Methodology .......... 8
    2. Related Reports ................ 9
    3. Management Comments ........... 10


Overview

INTRODUCTION AND OBJECTIVE

The Department of Energy (Department) Organization Act established the Federal Energy Regulatory Commission (Commission) in 1977. The Commission is an independent entity within the Department that regulates the transmission and sale of electric power, natural gas, oil, and hydroelectric power. The Commission's increasing reliance on information technology systems is consistent with satisfying the President's Management Agenda initiative of expanding electronic government. Specifically, the Commission expects to invest $23 million in information technology-related activities in Fiscal Year 2002. This substantial investment supports the development and maintenance of diverse information systems used to meet day-to-day mission requirements such as financial management, utility regulation, and licensing of hydroelectric projects.

Congress enacted the Government Information Security Reform Act (GISRA) in October 2000 to codify existing policies and regulations and reiterate security responsibilities outlined in the Computer Security Act of 1987 and the Clinger-Cohen Act of 1996. GISRA focuses on program management, implementation, and evaluation aspects of the security of government information and requires agencies to conduct annual program reviews and independent evaluations of computer security programs.

As required by GISRA and Office of Management and Budget (OMB) implementing guidance, the Office of Inspector General (OIG) performed an evaluation to determine whether the Commission's cyber security program protected data and information systems.

CONCLUSIONS AND OBSERVATIONS

While the Commission had implemented a number of protective measures, certain critical information systems remained at risk. Cyber protection efforts suffered from program management, planning, and execution weaknesses. Specifically, we noted that the Commission had not:

    • developed system-specific security plans;
    • assured continuity of operations through adequate contingency and disaster recovery planning;
    • implemented a completely effective cyber security training program; and
    • adequately addressed certain configuration management and access control problems.

These vulnerabilities existed because the Commission had not provided adequate management attention to implementing an effective cyber security program. These problems placed the Commission's systems at risk of unauthorized or malicious use and increased the potential for compromise of sensitive operational and personnel-related data.

The Commission has taken several positive steps in an effort to strengthen its cyber security program. The Office of the Chief Information Officer (CIO) recently instituted procedures to review and strengthen network passwords. The CIO is also in the process of developing policies and procedures that should provide the framework for a more fully developed cyber security program. In addition, an Agency Plan of Action and Milestones database has been developed to track cyber security weaknesses and related corrective actions. The Commission is also working to develop and finalize an organization-wide Cyber Security Action Plan. While program improvements have occurred, additional work is necessary to ensure that critical information technology resources are adequately protected.

Due to security considerations, information on specific vulnerabilities and systems has been omitted from this report. Management officials have been provided with detailed information regarding identified vulnerabilities, and in some instances, have initiated corrective actions.

This audit identified issues that management should consider when preparing its year-end assurance memorandum on internal controls.

                                        (Signed)
                                        Office of Inspector General


Cyber Security Program Weaknesses

SYSTEMS AND DATA REMAIN AT RISK

The Commission's cyber security program did not adequately protect information systems resources and data. Specifically, security plans had not always been prepared to mitigate risks or known vulnerabilities for specific systems. In addition, continuity of operations plans had not been developed and tested to permit quick recovery from a security-related system failure. Furthermore, the Commission had not ensured that staff and individuals with significant security responsibilities had received adequate cyber security training. Configuration management and access control weaknesses also increased the risk of malicious or unauthorized access to networks and systems.

System Security Planning

While the Commission contracted with an independent entity to perform a vulnerability assessment on its information systems, we found that a system-specific security plan addressing operational risks and remediation approaches had only been developed for one major system. Plans remained incomplete despite the identification of this issue during the Fiscal Year 2001 Financial Statement Audit. Although the Commission had not completed such plans, it had taken the incremental step of conducting an evaluation of its systems using the National Institute of Standards and Technology Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems. However, at the time of our review, the Commission had only completed self-assessments on approximately 50 percent of its systems.

Even though action had been taken to improve cyber security planning, additional steps are needed. Specifically, the Commission's Cyber Security Action Plan remained in draft and did not include all of the elements necessary for ensuring its effectiveness. For example, the draft plan did not include milestone dates critical to securing the information technology environment. In addition, a prioritized list of systems the Commission could use to identify mission critical[1] systems had not been developed.

[1] We considered a system to be mission critical if, in our opinion, it met the definition found in Section 3532(b)(2)(C), GISRA, i.e., if it "processes any information, the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency."

Continuity Planning

Continuity of operations plans to permit quick recovery from a security-related system failure or disruption of critical services were not in place. We noted that both organization-wide and system-specific contingency plans had not been developed or had not been approved. While the Commission had taken action to mitigate the risk of system failure by creating and storing computer data backup tapes off-site, it had not tested the ability to restore such data at alternate processing sites. Failure to develop and test such plans exposes the Commission to the risk that it would be unable to restore critical networks and information systems or maintain continuity of operations in the event of a successful attack.

Training

The Commission's cyber security training program was also not completely effective. While the Commission was proactive in providing cyber security awareness training, it had not focused sufficient attention on those individuals with significant security responsibilities. Specifically, at the time of our evaluation, the Commission had not identified the universe of such employees or developed a core curriculum for them.

Configuration Management and Access Controls

Configuration management weaknesses at the Commission presented opportunities for malicious access by both internal and external entities and increased the potential for unauthorized changes or damage to software and data. For example, outdated software with known vulnerabilities was observed on 11 servers. We also found improperly configured or unsecured remote access and file transfer services on numerous servers. Additionally, several system servers were configured in a manner that could permit unauthorized access for changing or obtaining information. The risk of malicious or unauthorized access was exacerbated by the fact that software tools installed on several systems did not permit auditing and monitoring of unusual or potentially harmful system activity.

Weak access controls and poor password management also increased the risk of unauthorized access. For instance, the Commission did not always employ strong password controls to minimize the risks associated with exploits such as automated guessing or "cracking" programs. One system we evaluated did not require strong passwords that contained an alphanumeric combination.
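The password and account controls examined in this finding (a required alphanumeric combination, accounts that can be used without a password, regular password changes, and account lockout after repeated incorrect logins) can be checked mechanically against each system's effective policy. The script below is an added compliance-check example written for this page; it is not part of the OIG report and not a Commission tool. It runs over constructed per-system policy records, reports each weak setting beside a record in a compliant state, and uses field names and thresholds that are assumptions for the example rather than any product's configuration keys.

```python
"""Compliance check for the password and account controls named in the finding.

Added example, not part of the OIG report. The policy records below are
constructed for illustration; field names and thresholds are assumptions
for this example, not any vendor's configuration keys.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set

# Assumed audit thresholds, chosen to mirror the report's language
# ("alphanumeric combination", "changed at regular intervals",
# "lockout after numerous incorrect login attempts").
MAX_PASSWORD_AGE_DAYS = 90   # rotation interval must be set and no longer than this
MAX_FAILED_LOGINS = 10       # lockout must trigger at or below this many failures


@dataclass(frozen=True)
class Finding:
    system: str
    control: str   # one of the four controls checked below
    detail: str


def check_system(policy: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per weak control on a single system's policy record."""
    name = policy["system"]
    findings: List[Finding] = []

    # 1. Complexity: passwords must be required to mix letters and digits.
    if not policy.get("require_alphanumeric", False):
        findings.append(Finding(name, "password complexity",
                                "alphanumeric combination not required"))

    # 2. Rotation: a maximum password age must exist and be bounded.
    age = policy.get("max_password_age_days")
    if age is None or age <= 0 or age > MAX_PASSWORD_AGE_DAYS:
        findings.append(Finding(name, "password rotation",
                                f"maximum password age is {age!r}; "
                                f"expected 1-{MAX_PASSWORD_AGE_DAYS} days"))

    # 3. Lockout: repeated failed logins must disable the account (0/None = off).
    threshold = policy.get("lockout_threshold")
    if threshold is None or threshold <= 0 or threshold > MAX_FAILED_LOGINS:
        findings.append(Finding(name, "account lockout",
                                f"lockout threshold is {threshold!r}; "
                                f"expected 1-{MAX_FAILED_LOGINS} failed attempts"))

    # 4. Blank passwords: no account may authenticate without a password;
    #    administrative accounts that reach several servers are called out.
    for acct in policy.get("accounts", []):
        if not acct.get("password_set", False):
            detail = f"account '{acct['name']}' allows access without a password"
            if acct.get("admin", False):
                detail += " (administrative account)"
            findings.append(Finding(name, "blank password", detail))
    return findings


def failed_controls(policy: Dict[str, Any]) -> Set[str]:
    """Names of the controls a system fails (convenient for reporting and tests)."""
    return {f.control for f in check_system(policy)}


def audit(policies: List[Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Run the check over every collected policy record, keyed by system name."""
    return {p["system"]: check_system(p) for p in policies}


# Constructed records: the first mirrors the weaknesses the report describes,
# the second shows the same settings in a compliant state.
WEAK_SYSTEM: Dict[str, Any] = {
    "system": "server-A (constructed)",
    "require_alphanumeric": False,
    "max_password_age_days": None,      # passwords never expire
    "lockout_threshold": 0,             # lockout not activated
    "accounts": [
        {"name": "svc_backup", "password_set": True, "admin": False},
        {"name": "administrator", "password_set": False, "admin": True},
    ],
}
HARDENED_SYSTEM: Dict[str, Any] = {
    "system": "server-B (constructed)",
    "require_alphanumeric": True,
    "max_password_age_days": 60,
    "lockout_threshold": 5,
    "accounts": [
        {"name": "svc_backup", "password_set": True, "admin": False},
        {"name": "administrator", "password_set": True, "admin": True},
    ],
}

if __name__ == "__main__":
    for system, findings in audit([WEAK_SYSTEM, HARDENED_SYSTEM]).items():
        print(f"{system}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Each record is treated as the policy an auditor would collect from one server, so the same check can be run across every system in an inventory; the weak record produces four findings (one per control) and the hardened record none. The thresholds are deliberately explicit constants so that an agency's own standard can be substituted without changing the checks.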
Account access was allowed without passwords for certain systems, including an administrator account that could be used to access multiple servers. Several other systems did not require that passwords be changed at regular intervals. An important control designed to prevent "brute force" access through password guessing -- account lockout after numerous incorrect login attempts -- had not been activated on one server.

PROTECTION OF INFORMATION RESOURCES

GISRA requires that each agency develop and implement an agency-wide cyber security program, consisting of policies, procedures, and control techniques, sufficient to protect information systems supporting agency operations and assets. GISRA focuses on program management, implementation, and evaluation aspects of the security of unclassified and national security information. It requires agencies to adopt a risk-based, life cycle approach to improving computer security and requires annual agency information security program reviews and independent evaluations of both unclassified and classified computer security programs. Specifically, GISRA requires:

    • Periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems and data;
    • Policies and procedures that are based on risk assessments that cost-effectively reduce information security risk to an acceptable level;
    • Adequate training of staff responsible for cyber security;
    • Cyber security awareness training for agency personnel;
    • Periodic management testing and evaluation of the effectiveness of the program;
    • A process for ensuring remedial action to address significant deficiencies; and
    • Procedures for detecting, reporting, and responding to cyber security incidents.

PROGRAM DESIGN AND IMPLEMENTATION

Vulnerabilities existed because the Commission had not provided adequate management attention to implementing an effective cyber security program. Specifically, organizational responsibilities had not been stressed sufficiently and performance measures for cyber security had not been developed.

We identified instances where Commission management was either unaware of responsibilities, uncertain of their authorities, or had not coordinated effectively to ensure that needed actions were taken. For example:

    • Although the Commission's interim directive for information technology security specifically assigned responsibility for developing and implementing system security plans to office directors, only one office had prepared such a plan. In addition, the one plan that had been prepared was not approved because the head of the office was not aware that it was his responsibility to approve it.

    • During the period under evaluation, officials from the Office of the CIO indicated that they lacked the authority for monitoring or administering security for all of the Commission's financial systems. For example, they noted that they had no authority to conduct testing or review security practices and were not aware of financial information system security weaknesses disclosed by our Fiscal Year 2001 Financial Statement Audit until several months after they were reported.

    • In another instance, we observed that senior management officials did not agree on the identification of mission critical systems and commensurate protective measures. As a result, at the time of our review, the Commission had not identified which systems were critical to continuing operations of the agency.

    • Budgets for cyber security-related activities were either not prepared or lacked sufficient specificity to determine whether they addressed individual system lifecycle security costs.

The Commission also had not developed and implemented cyber security-related performance goals as required by the Government Performance and Results Act of 1993 (GPRA). The Commission acknowledged the lack of such measures in its 2001 GISRA submission to the OMB but has yet to develop a method for tracking progress in this important area. For instance, specific measures and a metric system capable of measuring progress in areas such as agency-wide security planning, including security training and a certification and accreditation process, had not been implemented. While the Commission was tracking performance measurement weaknesses in its Plan of Action and Milestones database, corrective actions related to the development of such measures were not ranked as a high priority and had not been completed.

RISK OF COMPROMISE

The threat of compromise of critical information resources continues to grow as the Commission moves closer to a paperless environment. A lack of attention to implementing an effective cyber security program and not promptly correcting weaknesses identified during the FY 2001 GISRA process increased the risk of compromise or malicious damage of the Commission's critical systems, some of which enable delivery of essential services to industry, members of the public, and other Federal agencies. In addition, a lack of cyber security training increases the risk that adequate measures will not be taken to protect the information included in the agency's systems.

RECOMMENDATIONS

To improve cyber security within the Commission, we recommend that the Chairman:

    1. Clarify roles and authorities for the CIO related to the development and implementation of a Commission-wide cyber security protection program;

    2. Ensure that system security plans are approved, mission critical systems are identified, and that continuity of operations for the systems is assured through adequate contingency and disaster recovery planning;

    3. Ensure that cyber security objectives are given appropriate priority within the agency and cyber security costs are included in the system development life cycle; and

    4. Direct the establishment of performance goals, and an associated metrics system, for measuring progress in improving cyber security and correcting known weaknesses.

MANAGEMENT REACTION

Management concurred with our recommendations and stated that it had addressed many observations identified in the report by enhancing certain elements of the cyber security program. Management also stated that it planned to work over the course of the next year to close evaluation findings through corrective action plans. The Commission's verbatim comments can be found in Appendix 3.

AUDITOR COMMENTS

Management's comments were responsive to our recommendations.


Appendix 1

SCOPE

Between June and August 2002 we performed a vulnerability assessment of the Commission's cyber security program. Specifically, we assessed controls over network operations to determine the effectiveness of access controls related to safeguarding information resources from unauthorized internal and external sources. The evaluation included a limited review of general and application controls in areas such as entity-wide security planning and management, access controls, application software development and change controls, and service continuity. Our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls.

METHODOLOGY

We satisfied our evaluation objective by reviewing applicable laws and regulations pertaining to cyber security and information technology resources, such as GISRA, OMB Circular A-130 (Appendix III), and the Clinger-Cohen Act, and reviewing the Commission's overall cyber security program management, policies, procedures, and practices. The Commission's headquarters was evaluated in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP, the OIG contract auditor. The evaluation included analysis and testing of general and application controls for systems as well as vulnerability and penetration testing of networks.

We evaluated the Commission's implementation of GPRA related to the establishment of performance measures for cyber security. We did not rely solely on computer-processed data to satisfy our objectives. However, computer-assisted audit tools were used to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests. Because our evaluation was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the objectives. We held an exit conference with management on September 10, 2002.


Appendix 2

RELATED OFFICE OF INSPECTOR GENERAL AND GENERAL ACCOUNTING OFFICE REPORTS

    • The Department's Unclassified Cyber Security Program (DOE/IG-0519, August 2001). While the Department has initiated certain actions designed to enhance cyber security, it has not made sufficient progress in identifying and developing protective measures for critical infrastructures or assets. For example, our audit disclosed that: 1) the identification of national priority assets had not been finalized and the specific identification of critical cyber-related assets had not begun; 2) corrective actions to address issues disclosed by our previous audit of the Department's infrastructure protection program were progressing slowly and remained incomplete; 3) specific, quantifiable infrastructure protection-related performance measures had not been developed; and 4) the Department's critical infrastructure protection plan had not been updated.

    • The Department of Energy's Implementation of the Clinger-Cohen Act of 1996 (DOE/IG-0507, June 2001). While the Department has taken action to address certain information technology-related management problems, it has not been completely successful in implementing the requirements of the Clinger-Cohen Act of 1996. We attributed the problems identified, in part, to the Department's decentralized approach to information technology management and the organizational placement of the CIO.

    • Fiscal Year 2000 Consolidated Financial Statements (DOE/IG-FS-01-01, February 2001). The report identified three reportable weaknesses in the Department's system of internal controls pertaining to performance measures, financial management, and unclassified information system security. Specifically, performance goals, in many cases, were not output or outcome oriented and/or were not meaningful, relevant, or stated in objective or quantifiable terms. The Department also had certain network vulnerabilities and general access control weaknesses.

    • Executive Guide: Maximizing the Success of Chief Information Officers: Learning From Leading Organizations (GAO-01-376G, February 2001). The General Accounting Office (GAO) issued this executive guide to provide pragmatic guidance that federal agencies can consider in determining how best to integrate CIO functions into their respective organizations. The guide provided critical success factors that, if implemented, will be useful towards achieving a successful information technology environment.

    • Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies (GAO/AIMD-00-295, September 2000). GAO noted that a major contributing factor to the existence of security vulnerabilities was ineffective and inconsistent information technology security management throughout the Department. GAO found that, among other things, the Department had not prepared federally required security plans, effectively identified and assessed information security risks, or fully and consistently reported security incidents.


Appendix 3

MANAGEMENT COMMENTS


IG Report No.: DOE/IG-0569

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the audit would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in this report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name _____________________________             Date __________________________

Telephone _________________________            Organization ____________________

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585

    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Wilma Slaughter at (202) 586-1924.


The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

    U.S. Department of Energy, Office of Inspector General, Home Page
    http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.